Tech Brainwave

A Road Map for Innovative Technologies

Steps to configure Verisign SSL certificate in Oracle Glassfish

Posted by giftsam on Jun 24, 2010

Introduction
Customers expect their business applications to be scalable, distributed, component-based, mission-critical and secure. In particular, they expect the traffic between client and server to be protected. Serving the application over SSL with a certificate issued by a trusted Certificate Authority is the standard way to accomplish this: it lets the client verify that it is talking to the real server and encrypts everything exchanged in the session. First, a short introduction to SSL and VeriSign.

SSL
Secure Sockets Layer (SSL), now superseded by its successor TLS, is the protocol used to transmit information between client and server securely. To establish an SSL connection the server needs a key pair of its own: it generates a private key and a matching public key, keeps the private key to itself, and asks a Certificate Authority (CA) to sign a certificate that binds the public key to the server's name. The CA never sees or issues the private key; it only vouches for the public key. Clients that trust the CA can then verify the server's identity and negotiate an encrypted session.

Verisign
VeriSign was, at the time of writing, the leading Secure Sockets Layer (SSL) Certificate Authority. VeriSign certificates are commercial, but a free trial certificate can be requested to exercise the whole flow end to end. Trial certificates chain to a VeriSign test root that browsers do not trust by default, so they are for testing only, never for production. (VeriSign's certificate business has since changed hands, so the trial programme described here may no longer be offered in this form.) In this article, let us see how to configure a VeriSign trial SSL certificate for Oracle GlassFish Server (previously called Sun GlassFish).

Things You’ll Need

  1. Oracle Glassfish Server.
  2. JDK 1.5 and above.
  3. VeriSign Trial SSL Certificate (requested from VeriSign's site; see step 3)

Configure SSL Certificate
Six steps are required to configure a VeriSign SSL certificate for Oracle GlassFish Server:

Step 1 – Generate a private key in keystore.jks
Java keytool stores keys and certificates in a keystore file. In Oracle GlassFish Server the keystore is domains/domain1 (our domain name)/config/keystore.jks. The following command, run from that config directory, generates a new RSA key pair in it under the alias certificatekey, together with a temporary self-signed certificate that the CA's certificate will replace in step 4:



keytool -genkey -alias certificatekey -keysize 2048 -keyalg RSA -keystore keystore.jks -dname "CN=localhost,OU=Testing,O=Java,L=GeorgeTown,S=Penang,C=MY"

(The original post used -keysize 1024. Public CAs stopped signing 1024-bit RSA keys years ago and modern clients reject them, so 2048 is the minimum today. -genkey is the old spelling of -genkeypair and still works.)

CN stands for common name. It must be the name clients will type into the browser, so it should be one of the following:

  • Our domain name (eg: www.mydomain.com)
  • localhost (for testing on the local machine only)
  • IP address (eg: 192.168.0.60)

Current browsers match the host name against the Subject Alternative Name extension and ignore CN, so on Java 7 or later also pass -ext san=dns:www.mydomain.com (or san=ip:192.168.0.60) to this command and to the CSR command in step 2, so that the CA can copy the name into the issued certificate.

After executing the preceding command you will be asked for the keystore password. The default GlassFish keystore password is 'changeit'. GlassFish opens keystore.jks with its master password, so if you change the keystore password, run asadmin change-master-password as well so the two stay in sync. The prompt is shown in the screenshot below (in the original post).

Step 2 – Generate a Certificate Signing Request (CSR)
In step 2, generate a Certificate Signing Request for the key from step 1 by executing the following command. The CSR is what gets pasted into VeriSign's request form, so this must be done before requesting the trial certificate:



keytool -certreq -alias certificatekey -sigalg SHA256withRSA -keystore keystore.jks -file certrequestkey.csr

Give the same keystore password 'changeit' when executing the CSR command; the prompt is shown in the screenshot below (in the original post). The original post used -sigalg SHA1WithRSA; SHA-1 signatures are no longer accepted, and in any case the CA, not the CSR, decides the signature algorithm of the certificate it issues, so SHA256withRSA is used here. The resulting certrequestkey.csr contains only the public key and the subject name and is safe to paste into the CA's request form.

The keystore file is very important because it contains the private key. Back it up, keep it readable only by the account GlassFish runs as, and never mail it or check it into source control; if the key is lost, the certificate is useless and a new CSR has to be submitted.

Step 3 – Process the VeriSign SSL certificate
In step 3, once the CSR is generated, request the trial certificate on VeriSign's official site by pasting in the contents of certrequestkey.csr. VeriSign then sends an email with the trial SSL certificate at the bottom, along with the Test Root CA certificate and the Trial Intermediate CA certificate. A sample trial SSL certificate looks like the below (the middle of the certificate is cut in the original post):

-----BEGIN CERTIFICATE-----
MIIFUTCCBDmgAwIBAgIQFpK+ie1EgRhMrbv7hjuspjANBgkqhkiG9w0BAQUFADCB
yzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL
EydGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiAgTm8gYXNzdXJhbmNlcy4xQjBABgNV
BAsTOVRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz
L3Rlc3RjYSAoYykwOTEtMCsGA1UEAxMkVmVyaVNpZ24gVHJpYWwgU2VjdXJlIFNl
cnZlciBDQSAtIEcyMB4XDTEwMDYxNzAwMDAwMFoXDTEwMDcwMTIzNTk1OVowgakx
CzAJBgNVBAYTAk1ZMREwDwYDVQQIEwhTZWxhbmdvcjETMBEGA1UEBxQKU3ViYW5n
SmF5YTENMAsGA1UEChQESmF2YTEQMA4GA1UECxQHVGVzdGluZzE6MDgGA1UECxQx
VGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vY3BzL3Rlc3RjYSAoYykw
NTEVMBMGA1UEAxQMMTkyLjE2OC4wLjI4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
[... lines omitted in the original post ...]
dBmmLkNoBARziNJPsbH3qfmQ0J5X
-----END CERTIFICATE-----

Once you have the email, copy the trial SSL certificate, including the BEGIN and END lines, into a file with a .cer suffix; for this article I'll name it trialsslcert.cer. The email also contains three links to the Test Root CA certificate and the Trial Intermediate CA certificate; copy and save the Test Root CA certificate as testrootcert.cer and the Trial Intermediate CA certificate as testintermediatecert.cer. Before importing anything, inspect each file with keytool -printcert and confirm that the names chain: the server certificate's issuer is the trial intermediate CA, the intermediate's issuer is the test root, and the test root is self-signed. A file whose subject is not the CN you requested, or whose issuer is unexpected, is the wrong file.

Step 4 – Import the trial certificates
In step 4 we import the Test Root CA certificate into keystore.jks and into cacerts.jks (GlassFish's trust store in the same config directory), then the Trial Intermediate CA certificate into keystore.jks, and finally the server certificate itself. The intermediate is not optional: keytool refuses a certificate reply that it cannot chain back to a trusted root ("Failed to establish chain from reply"), and a GlassFish listener whose key entry lacks the intermediate sends an incomplete chain that browsers reject. This can be accomplished in two ways:

Way 1
Import the certificates manually by executing the keytool commands below. First the Test Root CA certificate into both stores (answer yes when keytool asks whether to trust it):



keytool -import -v -trustcacerts -alias verisigntestroot -file testrootcert.cer -keystore keystore.jks

keytool -import -v -trustcacerts -alias verisigntestroot -file testrootcert.cer -keystore cacerts.jks


Then import the Trial Intermediate CA certificate into keystore.jks with the same command, changing only the alias (for example verisigntestintermediate) and the file (testintermediatecert.cer). After the CA certificates are in place, import the VeriSign trial SSL certificate into keystore.jks using the following command. The alias must be the one the key pair was generated under (certificatekey): that is what makes keytool treat the file as a certificate reply for that key, build the chain from the CA certificates just imported, and replace the self-signed certificate, instead of adding yet another trusted certificate:



keytool -import -v -alias certificatekey -file trialsslcert.cer -keystore keystore.jks


That's it; the certificates are imported. Now take a look at the other way as well, which is quick once the program is in place.

Way 2
If you find it hard to import the certificates manually, here is a Java program that does the same job as the last keytool command: it loads the trial certificate, reads the existing key entry and stores the key again with the certificate as its chain. Enter the path of the keystore.jks file, the path of the VeriSign trial certificate and the certificate alias as specified in the program. One caveat: unlike keytool, the program does not build the chain from the CA certificates in the keystore; it sets exactly the certificates found in the file, so the file must contain the full chain (server certificate first, then the intermediate, then the root) or the key entry ends up with an incomplete chain. Thanks for the excellent resource provided on the site javafaq. Below is the complete Java program to import the trial VeriSign certificate:



package com.sample.javaapplication;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

/**
 * Replaces the certificate chain of an existing key entry with the
 * certificates read from a PEM or DER file: what "keytool -import" does for
 * a certificate reply, minus keytool's own chain building.
 *
 * @author Giftsam
 */
public class SSLImporter
{
    private void importTrialCertificate() throws Exception
    {
        // Path of the VeriSign trial SSL certificate (full chain, server certificate first)
        String sslCertificatePath = "c:" + File.separator + "Program Files" + File.separator + "java"
                + File.separator + "jre6" + File.separator + "bin" + File.separator + "trialsslcert.cer";
        // Path of the keystore.jks file
        String keystorePath = "c:" + File.separator + "Program Files" + File.separator + "java"
                + File.separator + "jre6" + File.separator + "bin" + File.separator + "keystore.jks";
        String keystorePassword = "changeit";
        // Alias the key pair was generated under in step 1
        String certificateAliasName = "certificatekey";

        File certificateFile = new File(sslCertificatePath);
        File keyStoreFile = new File(keystorePath);
        if (!certificateFile.exists() || !keyStoreFile.exists())
        {
            System.out.println("File doesn't exist");
            return;
        }

        char[] passwordCharArray = keystorePassword.toCharArray();

        // Read every certificate in the file. A file holding only the server
        // certificate yields a chain of length 1, which browsers may reject.
        Collection<? extends Certificate> certificates;
        InputStream certIn = new FileInputStream(certificateFile);
        try
        {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            certificates = certificateFactory.generateCertificates(certIn);
        }
        finally
        {
            certIn.close();
        }
        if (certificates.isEmpty())
        {
            throw new Exception("No certificates found in " + sslCertificatePath);
        }

        KeyStore keystore = KeyStore.getInstance("JKS");
        InputStream ksIn = new FileInputStream(keyStoreFile);
        try
        {
            keystore.load(ksIn, passwordCharArray);
        }
        finally
        {
            ksIn.close(); // closed before the same file is rewritten below
        }

        Key key = keystore.getKey(certificateAliasName, passwordCharArray);
        if (key == null)
        {
            throw new Exception("No key entry with alias " + certificateAliasName);
        }
        Certificate[] certificateChain = certificates.toArray(new Certificate[0]);

        // Guard against importing a certificate issued for a different key: the
        // first certificate's public key must match the one generated in step 1.
        PublicKey expected = keystore.getCertificate(certificateAliasName).getPublicKey();
        if (!certificateChain[0].getPublicKey().equals(expected))
        {
            throw new Exception("Certificate does not match the key stored under " + certificateAliasName);
        }

        keystore.setKeyEntry(certificateAliasName, key, passwordCharArray, certificateChain);
        OutputStream ksOut = new FileOutputStream(keyStoreFile);
        try
        {
            keystore.store(ksOut, passwordCharArray);
        }
        finally
        {
            ksOut.close();
        }
    }

    public static void main(String[] args) throws Exception
    {
        new SSLImporter().importTrialCertificate();
    }
}


Next, verify the certificates.

Step 5 – Verify the imported certificates
In step 5, verify the imported certificate with the following command:



keytool -list -v -alias certificatekey -keystore keystore.jks


Give the same keystore password 'changeit' when executing the preceding command; the output is shown in the screenshot below (in the original post).

In that output, check three things: the entry type is PrivateKeyEntry (keyEntry on older JDKs), Certificate chain length is 3 (server certificate, trial intermediate, test root), and the issuer of Certificate[1] is VeriSign's trial CA. If all three hold, the VeriSign SSL certificate is installed. A chain length of 1 means the CA certificates were not in the keystore when the server certificate was imported (or, with way 2, that the file held only the server certificate), and browsers will report an untrusted issuer; an issuer equal to your own subject means the self-signed certificate from step 1 is still in place and the import did not take.
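The five keytool steps above, as an added example that is not part of the original post, run end to end against a throw-away CA that keytool builds itself in place of VeriSign's test root and trial intermediate. It shows the key size and signature algorithm a CA accepts today, the SAN extension browsers actually match on, the order in which the CA certificates must be imported before the reply, and what happens when the intermediate is skipped, a common cause of untrusted-issuer errors after this procedure. The host name, DN fields, password, aliases and file names are assumptions; it needs keytool from JDK 7 or later for -ext and -gencert.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 to 5 run offline against a
# throw-away CA (root + intermediate) that keytool builds, standing in for
# VeriSign's test root and trial intermediate. All names below are assumptions.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # GlassFish default; change it on a real domain
HOST="${HOST:-www.mydomain.com}"
DNAME="CN=$HOST,OU=Testing,O=Java,L=GeorgeTown,S=Penang,C=MY"

# Step 1: server key pair. 2048-bit RSA and SHA-256 replace the 1024-bit/SHA-1
# values of the 2010 post; the SAN extension is what browsers match the host on.
gen_server_key() {   # keystore alias
  keytool -genkeypair -storetype JKS -keystore "$1" -alias "$2" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "$DNAME" -ext "san=dns:$HOST"
}

# Step 2: CSR for that key (what gets pasted into the CA's request form)
gen_csr() {   # keystore alias csr-file
  keytool -certreq -keystore "$1" -alias "$2" -storepass "$STOREPASS" \
    -sigalg SHA256withRSA -ext "san=dns:$HOST" -file "$3"
}

# Stand-in for the CA: a self-signed test root and an intermediate it signs.
# Produces testrootcert.cer and testintermediatecert.cer like the VeriSign mail.
build_test_ca() {   # workdir
  keytool -genkeypair -storetype JKS -keystore "$1/ca.jks" -alias testroot \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=Test Root CA,O=Example" -ext bc:c
  keytool -genkeypair -storetype JKS -keystore "$1/ca.jks" -alias testinter \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=Test Intermediate CA,O=Example" -ext bc:c
  keytool -certreq -keystore "$1/ca.jks" -alias testinter \
    -storepass "$STOREPASS" -file "$1/inter.csr"
  keytool -gencert -keystore "$1/ca.jks" -alias testroot -storepass "$STOREPASS" \
    -ext bc:c -validity 1825 -rfc -infile "$1/inter.csr" \
    -outfile "$1/testintermediatecert.cer"
  keytool -exportcert -keystore "$1/ca.jks" -alias testroot \
    -storepass "$STOREPASS" -rfc -file "$1/testrootcert.cer"
}

# Step 3: what the CA does with the CSR, signing it with the intermediate's key
sign_csr() {   # workdir csr-file cert-file
  keytool -gencert -keystore "$1/ca.jks" -alias testinter -storepass "$STOREPASS" \
    -validity 30 -rfc -ext "san=dns:$HOST" -infile "$2" -outfile "$3"
}

# Step 4: one command serves every import. A new alias stores the file as a
# trusted certificate; the key entry's own alias makes keytool treat the file
# as a certificate reply, build its chain from the trusted entries (and from
# cacerts, because of -trustcacerts) and refuse it if no chain can be built.
import_cert() {   # keystore alias cert-file
  keytool -importcert -trustcacerts -noprompt -keystore "$1" -alias "$2" \
    -storepass "$STOREPASS" -file "$3"
}

# Step 5: the figure "keytool -list -v" reports; 3 = server+intermediate+root
chain_length() {   # keystore alias
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$STOREPASS" \
    | sed -n 's/^Certificate chain length: //p'
}

# The flow in the order the post gives: root, intermediate, then the reply
run_demo() {   # workdir
  build_test_ca "$1"
  gen_server_key "$1/keystore.jks" certificatekey
  gen_csr "$1/keystore.jks" certificatekey "$1/certrequestkey.csr"
  sign_csr "$1" "$1/certrequestkey.csr" "$1/trialsslcert.cer"
  import_cert "$1/keystore.jks" verisigntestroot "$1/testrootcert.cer"
  import_cert "$1/keystore.jks" verisigntestintermediate "$1/testintermediatecert.cer"
  import_cert "$1/keystore.jks" certificatekey "$1/trialsslcert.cer"
  echo "chain length: $(chain_length "$1/keystore.jks" certificatekey)"
}

# Failure mode: the intermediate is skipped. keytool rejects the reply with
# "Failed to establish chain from reply" and the self-signed cert stays put.
demo_missing_intermediate() {   # workdir (after run_demo); returns non-zero
  gen_server_key "$1/nointer.jks" certificatekey
  gen_csr "$1/nointer.jks" certificatekey "$1/nointer.csr"
  sign_csr "$1" "$1/nointer.csr" "$1/nointer.cer"
  import_cert "$1/nointer.jks" verisigntestroot "$1/testrootcert.cer"
  import_cert "$1/nointer.jks" certificatekey "$1/nointer.cer"
}

# Stand-alone use: sh glassfish_chain_demo.sh /tmp/demo
if [ $# -gt 0 ]; then
  run_demo "$1"
  demo_missing_intermediate "$1" || echo "as expected: reply rejected without the intermediate"
fi
```

Run it as sh glassfish_chain_demo.sh /tmp/demo: the first flow prints chain length: 3, and the second import is rejected by keytool with Failed to establish chain from reply. With a real CA, sign_csr is replaced by VeriSign's request form and the two CA files come from the links in the email, but the import order and the chain-length check are exactly the same. The JKS warning that newer JDKs print is harmless; the GlassFish keystore in these versions is JKS.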

Step 6 – Configure the certificate alias in the GlassFish admin console
In step 6, point the secure HTTP and IIOP listeners at the new key entry using the GlassFish admin console. By default they use the alias s1as, the self-signed certificate GlassFish ships with, so the alias from step 1 (certificatekey) has to be entered as the Certificate NickName on each listener.

Configure HTTP Listeners
Click Configuration –> HTTP Service –> HTTP Listeners –> http-listener-2 in the admin console, open the SSL tab, set Certificate NickName to certificatekey and make sure the TLS check box is selected. The original post also selected SSL3; SSL 3.0 is broken (POODLE) and should stay unselected, as should SSL2. The configuration will look like the image given below (in the original post),

Configure IIOP Listeners
Click Configuration –> ORB –> IIOP Listeners –> SSL / SSL_MUTUALAUTH in the admin console and apply the same settings: Certificate NickName certificatekey, TLS selected, SSL2 and SSL3 not selected. The configuration will look like the image given below (in the original post),

Now the VeriSign SSL configuration for Oracle GlassFish Server is complete. Restart the domain so the listeners reload keystore.jks, then type https://localhost:8181/ in the browser; the certificate details will look like the image below (in the original post). Two warnings are still possible with a trial certificate: an unknown-issuer warning, because the VeriSign test root is not in the browser's trust store (import testrootcert.cer into the browser to clear it), and a name-mismatch warning if the CN/SAN from step 1 is not the host name in the address bar.
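The listener setting from step 6 as it ends up in domains/domain1/config/domain.xml, shown here as an added example rather than text from the original post, with the setting the post clicks beside the corrected one. The attribute names are those of the GlassFish v2/v3 ssl element (an assumption about your exact version: the element sits inside http-listener in v2 and inside protocol in v3), and certificatekey is the alias from step 1:

```xml
<!-- Added example, not from the original post. Attribute names are those of the
     GlassFish v2/v3 <ssl> element; certificatekey is the step 1 alias. -->

<!-- As selected in the original post: right alias, but SSL3 left on -->
<ssl cert-nickname="certificatekey"
     ssl2-enabled="false"
     ssl3-enabled="true"
     tls-enabled="true"
     client-auth-enabled="false"/>

<!-- Hardened: same alias, TLS only -->
<ssl cert-nickname="certificatekey"
     ssl2-enabled="false"
     ssl3-enabled="false"
     tls-enabled="true"
     client-auth-enabled="false"/>
```

Edit domain.xml only while the domain is stopped, or make the change through the console or asadmin; GlassFish rewrites the file itself and will overwrite a hand edit made on a running domain.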

That's all, folks. I hope this article clearly explains the configuration of a VeriSign trial SSL certificate in Oracle GlassFish Server. If you find this article useful, don't forget to leave your valuable comments. Have a joyous code day.


8 Responses so far.

  1. Kris says:

    Thanks for sharing this. Can you add a little bit of information about setting up client authentication as well?

    Thanks.


  2. habeeb says:

    Hello,

    I need a VeriSign trial for training purposes.


  3. [...] or other certificate authority should be exported. For exporting verisign certificates, the article “Steps to configure Verisign certificate for Oracle Glassfish Server” would be helpful. In this article, Let us see how to export a self signed certificate. The [...]


  4. Hi,

    I got the trial version of the VeriSign certificate and I have configured it with the GlassFish server as the steps explain. But finally, when I open the URL https://localhost:8181/, I get the error

    Secure Connection Failed
    An error occurred during a connection to localhost:8181.

    Peer’s certificate has an invalid signature.
    (Error code: sec_error_bad_signature)

    How can we fix this issue? Why is the certificate not shown on the screen? Did I miss anything in the steps?

    I would appreciate your help please.

    Regards,
    Periyasamy


  5. giftsam says:

    Hi Periyasamy,
    I reckon the error is due to an invalid or corrupt certificate. I suggest you re-register for another trial certificate. Also check with other browsers. If the problem still exists, please come back to me.
    Thanks – Gift Sam


  6. praesne says:

    Please guide me on the same with the certutil tool.

    Thanks in advance.


  7. I believe that is one of the most important pieces of information for me, and I am happy reading your article. But I want to make an observation on some basic things: the web site style is wonderful, the articles are truly nice :D. Excellent activity, cheers.
